Below is my search.
What I need is to have the time related to that error also saved (Timen) and then shown in the final result, which has the result of another subsearch.
When I run it, I am getting the value of only FIELDNAME1 and not Timen.
index!=_internal "error" " |eval Timen=strftime(_time,"%m/%d/%y %T")| accum Timen| rex "(?i)text>(?P[^<]+)" | dedup FIELDNAME | map search="search index!=_internal $FIELDNAME$" | search "error1 " |rex "(?i)text1=(?P[^]]+)" | rex "(?i)text2=(?P[^]]+)" | eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1 Time Timen
Give this a try
index!=_internal "error" |eval Timen=strftime(_time,"%m/%d/%y %T")| rex "(?i)text\>(?P<FIELDNAME>[^\<]+)" | dedup FIELDNAME | table Timen FIELDNAME | map search="search index!=_internal $FIELDNAME$ | eval Timen=\"$Timen$\"" | search "error1 " |rex "(?i)text1=(?P<FIELDNAME1>[^\]]+)" | eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1 Time Timen
One more question. What if I have to display the FIELDNAME along with Timen?
It doesn't work. It displays $Timen and not the value.
Oops, missed a $ sign there. Try now.
Perfect. It works. Thanks a lot for your kind help on this!!!
Okay, I found that this doesn't actually provide the result I am expecting. Let me correct my question. I need to know the time of the exact FIELDNAME which matches with the error1 field. (There can be multiple results for that fieldname initially, and the Timen is showing the latest one for that.)
The field names are stripped off in the question, making it difficult to understand. Apart from correcting that, could you also describe your requirement here in a little more detail?
index!=_internal "error" " |eval Timen=strftime(_time,"%m/%d/%y %T")| rex "(?i)text>(?P[^<]+)" | dedup FIELDNAME | map search="search index!=_internal $FIELDNAME$" | search "error1 " |rex "(?i)text1=(?P[^]]+)" | eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1 Time Timen
I want to display the field Timen in my results. Currently it displays only FIELDNAME1 and Time and not Timen.